You are free to read the BIMI standard's section 2.1 containing its high-level goals.
The next section also literally says "This document does not cover the different verification and reputation mechanisms available, but BIMI relies upon them to be in deployed in order to control abuse." It's not a standard meant for establishing trust, it does not mandate requiring a VMC.
Just like with e-mail, it doesn’t matter what’s in the standard, what matters is what the big providers actually do. If Google (Gmail), Microsoft, etc. will simply show any BIMI logo without VMC verification (which will never happen), then I will concede that BIMI is not a monopolizing standard. It’ll just be a tracking pixel.
Showing any BIMI logo is an absolutely unreasonable thing to demand from a large-scale BIMI implementation. It does not make it "monopolizing", I don't think you even know what the word means.
When the big providers all require VMC to show BIMI, then VMC is not optional, no matter what the spec says. Claiming it is optional is then disingenuous.
As I said in the linked post, logo verification is not a problem which can be solved. Identical trademarks can legitimately be issued in different fields, and both still be valid. Let’s say you are a brick manufacturer, and have paid an arm and a leg to a VMC certificate authority (previously a HTTPS EV certificate authority) for your logo, a nice iconic square logo. Then someone else can simply come along, register a flower shop in another country, use a different VMC issuer and get an identical logo issued to them. They can now send e-mail invoices to your customers with your logo on it, legitimately obtained, and the BIMI system will have trained your customers to trust your logo.
Any fix for this you try to implement will make the system even less usable for its stated purpose, or more suited to only large players and unusable in practice for smaller operators.
> When the big providers all require VMC to show BIMI, then VMC is not optional, no matter what the spec says. Claiming it is optional is then disingenuous.
What do you mean "no matter what the spec says", it is the spec we're talking about. It is what you argued against several times.
If you had started with saying "big providers' implementations of BIMI", then it wouldn't be wrong to say it's required but it's still not "monopolizing". Requiring you to prove your claims using a third unrelated party is simply not that.
> As I said in the linked post, logo verification is not a problem which can be solved. [...] and the BIMI system will have trained your customers to trust your logo.
There are caveats to each system. It does not mean the problem is not solvable to a large extent.
Secondly, it's pretty clear who to jail for the attack described. I'd say it's even a positive side of the system if that's the type of attacks we'd get.
> Any fix for this you try to implement will make the system even less usable for its stated purpose, or more suited to only large players and unusable in practice for smaller operators.
That's simply not true. The price of a VMC is really not that high for any business that doesn't only employ one man and his dog.
Still relevant, since we were discussing email, it would not need the whole "internet community" to agree, just a handful or two of provider could impose it in practice.
Standard are useless if majors providers apply a different de facto norm. That behavior has a name, it is called a cartel. And on some matters, that is punishable by law.
The next section also literally says "This document does not cover the different verification and reputation mechanisms available, but BIMI relies upon them to be in deployed in order to control abuse." It's not a standard meant for establishing trust, it does not mandate requiring a VMC.